Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

subscribe security #487

Open
Phorum opened this Issue Jun 11, 2011 · 1 comment

Comments

Projects
None yet
1 participant
@ghost

ghost commented Jun 11, 2011

For later on, to check:

In phorum_user_subscribe (soon to be phorum_api_user_subscribe()), I found the following code:
{{{
function phorum_user_subscribe( $user_id, $forum_id, $thread, $type )
{
$list=phorum_user_access_list( PHORUM_USER_ALLOW_READ );
if(!in_array($forum_id, $list)) return;
return phorum_db_user_subscribe( $user_id, $forum_id, $thread, $type );
}
}}}

How does this work if a user with a subscription is revoked read permissions? Will he still get the messages for the subscription or is that stopped?

Reported by: mmakaay
Imported from TRAC: http://trac.phorum.org/ticket/586

@ghost

ghost commented Jun 11, 2011

he will still get messages.
its too expensive to check for read-permissions for all subscribed users.

By: ts77

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment